Overview

overview

10

Static

static

857aff9992...53.exe

windows7_x64

10

857aff9992...53.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    192s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    15-09-2021 16:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    857aff9992a47764185c61da2493c753.exe

  • Size

    407KB

  • MD5

    857aff9992a47764185c61da2493c753

  • SHA1

    6efa34cd3fdb299fcd940c0719d3a172bac83164

  • SHA256

    b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

  • SHA512

    fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

Score
10/10
njratnyan cattrojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

pedrobedoya2021.duckdns.org:1980

Mutex

cf13c225ff474d45b

Attributes
  • reg_key

    cf13c225ff474d45b

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe
    "C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:988
    • C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe
      "C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe"
      2⤵
        PID:1748
      • C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe
        "C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1884

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/988-73-0x0000000004970000-0x0000000004971000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-86-0x00000000060E0000-0x00000000060E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-110-0x0000000006310000-0x0000000006311000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-109-0x0000000006300000-0x0000000006301000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-74-0x0000000004972000-0x0000000004973000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-65-0x0000000000000000-mapping.dmp
      Download
    • memory/988-66-0x0000000076A01000-0x0000000076A03000-memory.dmp
      Filesize

      8KB

      Download
    • memory/988-75-0x0000000002540000-0x0000000002541000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-95-0x0000000005610000-0x0000000005611000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-93-0x0000000006240000-0x0000000006241000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-71-0x0000000000A10000-0x0000000000A11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-72-0x00000000049B0000-0x00000000049B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-85-0x00000000060A0000-0x00000000060A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-84-0x000000007EF30000-0x000000007EF31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-79-0x0000000005690000-0x0000000005691000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-76-0x0000000004950000-0x0000000004951000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1884-67-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1884-69-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1884-94-0x00000000049E0000-0x00000000049E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1884-68-0x000000000040677E-mapping.dmp
      Download
    • memory/1980-64-0x0000000000370000-0x000000000038F000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1980-62-0x0000000000290000-0x0000000000297000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1980-61-0x00000000049A0000-0x00000000049A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1980-63-0x0000000004EF0000-0x0000000004F44000-memory.dmp
      Filesize

      336KB

      Download
    • memory/1980-0-0x00000000002B0000-0x00000000002B1000-memory.dmp
      Filesize

      4KB

      Download